Managing Active Directory groups is probably one of the simplest tasks you perform on a regular basis. It’s right up there with resetting a password. Because it takes little effort — and even less thought — it can often be easily dismissed as a routine, unimportant task.
In a recent webinar I hosted with Imanami, we asked the audience to provide some anecdotes about challenges they have faced when managing Active Directory groups. Here are some of the repeating themes we uncovered, along with a few quotes from IT pros just like you:
Security Risks Created by Lack of Management
Groups are the pathway to provide access to the internal network, Active Directory, applications, and data. A lack of attention here could get you in trouble.
“We have several groups that still have disabled users in them as well as users who no longer work for the company. We have groups that don’t have ownership or any description of what the group does. I’m actually in the middle of a huge AD cleanup.”
Think of the security implications here: there’s no clear understanding of why groups even exist, and some groups contain users who are no longer even employees. This reminds me of a recent story about an IT admin who was fired but had created a backdoor account for himself before leaving, because he had suspected that he would be fired. After being terminated, he logged in and wreaked a bit of havoc for his former employer.
Re-reading the quote above shows how easily this could happen. Nest a few groups that link all the way to Domain Admins and perhaps to the VPN access group, then place a seemingly benign user account in one of those nested groups — bingo. Someone has external access, and no one within IT is any the wiser.
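The defensive counterpart to the scenario above is to look at who is *effectively* in a privileged group once nesting is resolved, rather than at the direct member list the GUI shows. The following PowerShell is an added example, not code from the original post or from Imanami; it assumes the RSAT ActiveDirectory module, read access to the domain, and that the group names in $PrivilegedGroups match your environment (add your VPN access group there).

```powershell
# Added example: report the effective (nesting-resolved) membership of privileged groups
# and flag accounts that should not be there. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Groups to review. Assumption: adjust to your domain (e.g. add 'VPN Users').
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

# LDAP_MATCHING_RULE_IN_CHAIN resolves transitive group membership on the domain
# controller, so a user three groups deep is still returned by a single query.
$InChain = '1.2.840.113556.1.4.1941'

$report = foreach ($groupName in $PrivilegedGroups) {
    $group = Get-ADGroup -Identity $groupName -ErrorAction SilentlyContinue
    if (-not $group) { Write-Warning "Group '$groupName' not found"; continue }
    $dn = $group.DistinguishedName

    # Every group nested (at any depth) inside the privileged group: this is the
    # "chain" that links a harmless-looking group all the way up to Domain Admins.
    $nestedGroups = Get-ADGroup -LDAPFilter "(memberOf:$InChain:=$dn)" |
        Select-Object -ExpandProperty Name

    # Every user who is effectively a member, directly or through nesting.
    $users = Get-ADUser -LDAPFilter "(memberOf:$InChain:=$dn)" `
                        -Properties Enabled, LastLogonDate, MemberOf

    foreach ($user in $users) {
        $direct = $user.MemberOf -contains $dn
        [pscustomobject]@{
            PrivilegedGroup = $groupName
            User            = $user.SamAccountName
            Enabled         = $user.Enabled
            LastLogon       = $user.LastLogonDate
            Path            = if ($direct) { 'direct' } else { 'nested' }
            NestedGroups    = ($nestedGroups -join '; ')
        }
    }
}

# Accounts that are disabled yet still carry effective admin rights are the first
# thing to clean up; stale last-logon dates are the second.
$report | Sort-Object PrivilegedGroup, Path, User | Format-Table -AutoSize
$report | Where-Object { -not $_.Enabled } |
    Format-Table PrivilegedGroup, User, Path -AutoSize
```

One caveat: membership granted through a user's primary group (the primaryGroupID attribute) is not reflected in memberOf, so an account whose primary group was changed to a privileged group would not appear here; Get-ADGroupMember -Recursive covers that case but is slower on large groups.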
Without any kind of documentation or determination of who is responsible for managing a given group, groups often simply fall by the wayside. And because no one is exactly sure if there will be a negative impact by deleting a group, the groups simply remain in existence.
“We have too many groups. We have over 1,100 groups with no members alone.”
And this IT pro hasn’t even addressed issues such as whether any of these groups are nested, what resources they have access to, etc.
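A cleanup like the one described in the two quotes above starts with an inventory: which groups are empty, which have no owner or description, and which still contain disabled accounts. The script below is an added example (not code from the original post or from Imanami); it assumes the RSAT ActiveDirectory module and that $SearchBase points at the OU holding your groups.

```powershell
# Added example: group hygiene report for an OU. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumption: replace with the OU (or the domain root) you want to inventory.
$SearchBase = 'OU=Groups,DC=example,DC=com'

$ACCOUNTDISABLE = 0x2   # userAccountControl bit set on disabled accounts

$groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
    -Properties Members, Description, ManagedBy, whenCreated

$report = foreach ($g in $groups) {
    $flags = @()
    $members = @($g.Members)
    if ($members.Count -eq 0)              { $flags += 'Empty' }
    if ([string]::IsNullOrWhiteSpace($g.Description)) { $flags += 'NoDescription' }

    # Ownership: no ManagedBy at all, or a ManagedBy that points at a deleted
    # or disabled account, both mean nobody is responsible for the group.
    if (-not $g.ManagedBy) {
        $flags += 'NoOwner'
    } else {
        $owner = Get-ADObject -Identity $g.ManagedBy -Properties userAccountControl `
                              -ErrorAction SilentlyContinue
        if (-not $owner) { $flags += 'OwnerMissing' }
        elseif ($owner.userAccountControl -band $ACCOUNTDISABLE) { $flags += 'OwnerDisabled' }
    }

    # Count disabled accounts among the direct members (nested groups have no
    # userAccountControl and are skipped here).
    $disabled = 0
    foreach ($dn in $members) {
        $m = Get-ADObject -Identity $dn -Properties userAccountControl -ErrorAction SilentlyContinue
        if ($m -and ($m.userAccountControl -band $ACCOUNTDISABLE)) { $disabled++ }
    }
    if ($disabled -gt 0) { $flags += 'HasDisabledMembers' }

    [pscustomobject]@{
        Group           = $g.Name
        Scope           = $g.GroupScope
        Created         = $g.whenCreated
        MemberCount     = $members.Count
        DisabledMembers = $disabled
        Flags           = ($flags -join ',')
    }
}

# Everything with at least one finding, worst first; export for the cleanup ticket.
$report | Where-Object Flags | Sort-Object DisabledMembers -Descending |
    Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\group-hygiene.csv
```

Before deleting an empty group, note its SID: group SIDs can be referenced directly in file, share or application ACLs, so an "empty" group can still be the only thing granting (or denying) access somewhere. Disabling access by moving the group into a quarantine OU for a few weeks is a common way to learn whether anything breaks.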
Too Many Ignorant Hands in the AD Soup
The number of users with privileged access in Active Directory should be as limited as possible. But often it is easier to simply give someone Admin rights, either to the domain or to one or more OUs. Add to that a failure to document why groups exist and what they provide access to, and you have a recipe for disaster.
“Too many IT folks have access to modify groups without understanding their purpose. And we have no auditing of AD object changes to track them.”
This is a trifecta of group management problems:
- too many people
- no idea how changes in membership will impact the organization
- no ability to see who is modifying what
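The third item in the list is the one that can be fixed quickly: Windows already logs every security group membership change once the "Security Group Management" audit subcategory is enabled on the domain controllers. The following PowerShell is an added example, not code from the original post or from Imanami; it assumes it is run with administrative rights on a domain controller (or against exported Security logs) and that $WatchList names the groups you care most about.

```powershell
# Added example: turn on group-management auditing and read the resulting events.
# Run on a domain controller as an administrator; in production the audit setting
# is normally pushed by GPO rather than set per host as shown here.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Windows event IDs for security-enabled groups:
#   member added   : 4728 (global), 4732 (domain local), 4756 (universal)
#   member removed : 4729 (global), 4733 (domain local), 4757 (universal)
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

# Assumption: groups whose changes should be escalated rather than just logged.
$WatchList = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
              LogName = 'Security'; Id = ($AddIds + $RemoveIds); StartTime = $since
          } -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = if ($e.Id -in $AddIds) { 'Added' } else { 'Removed' }
        Group     = $data['TargetUserName']
        Member    = $data['MemberName']        # DN of the account added/removed
        ChangedBy = $data['SubjectUserName']   # who made the change
        Watched   = $data['TargetUserName'] -in $WatchList
    }
}

# Who is modifying what: every change, then the subset touching watched groups.
$changes | Sort-Object Time | Format-Table Time, Action, Group, Member, ChangedBy -AutoSize
$changes | Where-Object Watched |
    Format-Table Time, Action, Group, Member, ChangedBy -AutoSize
```

Group creation and deletion have their own IDs (4727/4730 global, 4731/4734 domain local, 4754/4758 universal) and can be added to the filter the same way. Forwarding these events to a central log collector or SIEM is what turns the query into the missing "ability to see who is modifying what".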
Changing Your Reality
The examples above are only three of the themes mentioned. If any of these resonate with you, it’s time to change how you implement group management. A shift in thinking is required. Groups must be seriously regarded as a means to access everything within your organization. Group management needs to shift from being that thing you do to close a helpdesk ticket to being seen as a task that has the potential to cause serious problems if not handled correctly.
Group existence, memberships (dynamic and delegated), and ownership all need to be addressed in a way that puts the process of group creation, membership modification, and assignment of permissions into the proper context.
If you’re interested in learning more about the right way to manage Active Directory groups, then check out What’s the Right Way to Manage Groups in Active Directory?